Description
Applications that use Astro's server islands feature are vulnerable to reflected cross-site scripting (XSS). The injection is possible regardless of what the component template(s) were intended to render, so it is not mitigated by template-level care alone.
Recommendation
Update the astro package to the latest compatible version. Version details are as follows:
- Affected version(s): <= 5.15.6
- Patched version(s): 5.15.8
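A practical check that follows from the version details above: scan an npm lockfile for every installed copy of astro (including nested copies under a dependency's own node_modules) and classify each against the advisory's affected maximum (5.15.6) and patched minimum (5.15.8). This is an added example, not code from the page or from the Astro project; the semver comparison is a self-contained simplification, and the lockfile embedded below is constructed, not a real project. Versions that fall between the two published bounds (for example 5.15.7, or a 5.15.8 pre-release) are reported as "unverified" because the advisory states no status for them, and a practitioner should treat them as unpatched.

```javascript
// Added example: classify installed astro versions against the advisory ranges.
// Not code from the advisory page or the Astro project.

const AFFECTED_MAX = "5.15.6"; // advisory: affected <= 5.15.6
const PATCHED_MIN = "5.15.8";  // advisory: patched 5.15.8

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(version.trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

// Returns -1, 0 or 1. A pre-release sorts before the release with the same core
// (semver rule 11), so 5.15.8-beta.1 still counts as below the patched release.
// Simplification (assumption): pre-release identifiers are compared lexically.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.prerelease === pb.prerelease) return 0;
  if (pa.prerelease === null) return 1;
  if (pb.prerelease === null) return -1;
  return pa.prerelease < pb.prerelease ? -1 : 1;
}

// Classify one installed version:
//   "affected"   : <= 5.15.6, inside the published affected range
//   "unverified" : above the affected range but below the patched release;
//                  the advisory lists no status for these, so treat as unpatched
//   "patched"    : >= 5.15.8
function assess(version) {
  if (compareSemver(version, AFFECTED_MAX) <= 0) return "affected";
  if (compareSemver(version, PATCHED_MIN) < 0) return "unverified";
  return "patched";
}

// Walk a lockfile v2/v3 "packages" map and report every installed copy of astro.
// Nested copies live under paths such as node_modules/foo/node_modules/astro.
function findAstro(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "node_modules/astro" || path.endsWith("/node_modules/astro")) {
      hits.push({ path, version: entry.version, status: assess(entry.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real project): one root install, one nested.
const sampleLockfile = {
  name: "example-site",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-site", dependencies: { astro: "^5.15.0" } },
    "node_modules/astro": { version: "5.15.6" },
    "node_modules/some-integration": { version: "1.0.0" },
    "node_modules/some-integration/node_modules/astro": { version: "5.15.8" },
  },
};

// Stand-alone usage: node check-astro.js [path/to/package-lock.json]
// Without an argument the constructed sample above is scanned.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : sampleLockfile;
  for (const hit of findAstro(lock)) {
    console.log(`${hit.path}: ${hit.version} -> ${hit.status}`);
  }
}
```

Run it against a real package-lock.json and upgrade any entry not reported as "patched"; a root-level "patched" astro does not help if an integration pins its own older copy underneath.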
References
Related Issues
- Astro development server error page is vulnerable to reflected Cross-site Scripting - CVE-2025-64745
- Quill is vulnerable to XSS via HTML export feature - CVE-2025-15056
- Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
- Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes - CVE-2026-34405
Tags: npm, astro
Last updated on November 19, 2025